From f5ecec3ce21f706e9e7a330b2e8e5a2941927b46 Mon Sep 17 00:00:00 2001
From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Wed, 13 Apr 2016 09:40:59 +0300
Subject: btrfs: send: silence an integer overflow warning

The "sizeof(*arg->clone_sources) * arg->clone_sources_count" expression
can overflow.  It causes several static checker warnings.  It's all
under CAP_SYS_ADMIN so it's not that serious but lets silence the
warnings.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
---
 fs/btrfs/send.c | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'fs/btrfs/send.c')

diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
index 8d358c547c59..ec433795fa71 100644
--- a/fs/btrfs/send.c
+++ b/fs/btrfs/send.c
@@ -5978,6 +5978,12 @@ long btrfs_ioctl_send(struct file *mnt_file, void __user *arg_)
 		goto out;
 	}
 
+	if (arg->clone_sources_count >
+	    ULLONG_MAX / sizeof(*arg->clone_sources)) {
+		ret = -EINVAL;
+		goto out;
+	}
+
 	if (!access_ok(VERIFY_READ, arg->clone_sources,
 			sizeof(*arg->clone_sources) *
 			arg->clone_sources_count)) {
-- 
cgit v1.2.3


From 6ff48ce06b07255a6459cd8b816a110971a81f00 Mon Sep 17 00:00:00 2001
From: David Sterba <dsterba@suse.com>
Date: Mon, 11 Apr 2016 18:40:08 +0200
Subject: btrfs: send: use vmalloc only as fallback for send_buf

Signed-off-by: David Sterba <dsterba@suse.com>
---
 fs/btrfs/send.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

(limited to 'fs/btrfs/send.c')

diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
index ec433795fa71..b6e2c6ec4ee5 100644
--- a/fs/btrfs/send.c
+++ b/fs/btrfs/send.c
@@ -6028,10 +6028,13 @@ long btrfs_ioctl_send(struct file *mnt_file, void __user *arg_)
 	sctx->clone_roots_cnt = arg->clone_sources_count;
 
 	sctx->send_max_size = BTRFS_SEND_BUF_SIZE;
-	sctx->send_buf = vmalloc(sctx->send_max_size);
+	sctx->send_buf = kmalloc(sctx->send_max_size, GFP_KERNEL | __GFP_NOWARN);
 	if (!sctx->send_buf) {
-		ret = -ENOMEM;
-		goto out;
+		sctx->send_buf = vmalloc(sctx->send_max_size);
+		if (!sctx->send_buf) {
+			ret = -ENOMEM;
+			goto out;
+		}
 	}
 
 	sctx->read_buf = vmalloc(BTRFS_SEND_READ_SIZE);
@@ -6220,7 +6223,7 @@ out:
 			fput(sctx->send_filp);
 
 		vfree(sctx->clone_roots);
-		vfree(sctx->send_buf);
+		kvfree(sctx->send_buf);
 		vfree(sctx->read_buf);
 
 		name_cache_free(sctx);
-- 
cgit v1.2.3


From eb5b75fe2e61a9ba907785b70318736112b0cf93 Mon Sep 17 00:00:00 2001
From: David Sterba <dsterba@suse.com>
Date: Mon, 11 Apr 2016 18:40:08 +0200
Subject: btrfs: send: use vmalloc only as fallback for read_buf

Signed-off-by: David Sterba <dsterba@suse.com>
---
 fs/btrfs/send.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

(limited to 'fs/btrfs/send.c')

diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
index b6e2c6ec4ee5..4e950ebbef53 100644
--- a/fs/btrfs/send.c
+++ b/fs/btrfs/send.c
@@ -6037,10 +6037,13 @@ long btrfs_ioctl_send(struct file *mnt_file, void __user *arg_)
 		}
 	}
 
-	sctx->read_buf = vmalloc(BTRFS_SEND_READ_SIZE);
+	sctx->read_buf = kmalloc(BTRFS_SEND_READ_SIZE, GFP_KERNEL | __GFP_NOWARN);
 	if (!sctx->read_buf) {
-		ret = -ENOMEM;
-		goto out;
+		sctx->read_buf = vmalloc(BTRFS_SEND_READ_SIZE);
+		if (!sctx->read_buf) {
+			ret = -ENOMEM;
+			goto out;
+		}
 	}
 
 	sctx->pending_dir_moves = RB_ROOT;
@@ -6224,7 +6227,7 @@ out:
 
 		vfree(sctx->clone_roots);
 		kvfree(sctx->send_buf);
-		vfree(sctx->read_buf);
+		kvfree(sctx->read_buf);
 
 		name_cache_free(sctx);
 
-- 
cgit v1.2.3


From e55d1153dbf48485a74eb4bf4eefeaedcf1486a9 Mon Sep 17 00:00:00 2001
From: David Sterba <dsterba@suse.com>
Date: Mon, 11 Apr 2016 18:52:02 +0200
Subject: btrfs: send: use temporary variable to store allocation size

We're going to use the argument multiple times later.

Signed-off-by: David Sterba <dsterba@suse.com>
---
 fs/btrfs/send.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

(limited to 'fs/btrfs/send.c')

diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
index 4e950ebbef53..4f85a47c2f55 100644
--- a/fs/btrfs/send.c
+++ b/fs/btrfs/send.c
@@ -5939,6 +5939,7 @@ long btrfs_ioctl_send(struct file *mnt_file, void __user *arg_)
 	u32 i;
 	u64 *clone_sources_tmp = NULL;
 	int clone_sources_to_rollback = 0;
+	unsigned alloc_size;
 	int sort_clone_roots = 0;
 	int index;
 
@@ -6050,24 +6051,25 @@ long btrfs_ioctl_send(struct file *mnt_file, void __user *arg_)
 	sctx->waiting_dir_moves = RB_ROOT;
 	sctx->orphan_dirs = RB_ROOT;
 
-	sctx->clone_roots = vzalloc(sizeof(struct clone_root) *
-			(arg->clone_sources_count + 1));
+	alloc_size = sizeof(struct clone_root) * (arg->clone_sources_count + 1);
+
+	sctx->clone_roots = vzalloc(alloc_size);
 	if (!sctx->clone_roots) {
 		ret = -ENOMEM;
 		goto out;
 	}
 
+	alloc_size = arg->clone_sources_count * sizeof(*arg->clone_sources);
+
 	if (arg->clone_sources_count) {
-		clone_sources_tmp = vmalloc(arg->clone_sources_count *
-				sizeof(*arg->clone_sources));
+		clone_sources_tmp = vmalloc(alloc_size);
 		if (!clone_sources_tmp) {
 			ret = -ENOMEM;
 			goto out;
 		}
 
 		ret = copy_from_user(clone_sources_tmp, arg->clone_sources,
-				arg->clone_sources_count *
-				sizeof(*arg->clone_sources));
+				alloc_size);
 		if (ret) {
 			ret = -EFAULT;
 			goto out;
-- 
cgit v1.2.3


From c03d01f3404282712b9fd280297f133860c91c93 Mon Sep 17 00:00:00 2001
From: David Sterba <dsterba@suse.com>
Date: Mon, 11 Apr 2016 18:40:08 +0200
Subject: btrfs: send: use vmalloc only as fallback for clone_roots

Signed-off-by: David Sterba <dsterba@suse.com>
---
 fs/btrfs/send.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

(limited to 'fs/btrfs/send.c')

diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
index 4f85a47c2f55..5a5d37b37150 100644
--- a/fs/btrfs/send.c
+++ b/fs/btrfs/send.c
@@ -6053,10 +6053,13 @@ long btrfs_ioctl_send(struct file *mnt_file, void __user *arg_)
 
 	alloc_size = sizeof(struct clone_root) * (arg->clone_sources_count + 1);
 
-	sctx->clone_roots = vzalloc(alloc_size);
+	sctx->clone_roots = kzalloc(alloc_size, GFP_KERNEL | __GFP_NOWARN);
 	if (!sctx->clone_roots) {
-		ret = -ENOMEM;
-		goto out;
+		sctx->clone_roots = vzalloc(alloc_size);
+		if (!sctx->clone_roots) {
+			ret = -ENOMEM;
+			goto out;
+		}
 	}
 
 	alloc_size = arg->clone_sources_count * sizeof(*arg->clone_sources);
@@ -6227,7 +6230,7 @@ out:
 		if (sctx->send_filp)
 			fput(sctx->send_filp);
 
-		vfree(sctx->clone_roots);
+		kvfree(sctx->clone_roots);
 		kvfree(sctx->send_buf);
 		kvfree(sctx->read_buf);
 
-- 
cgit v1.2.3


From 2f91306a37809907474a06c1defdb1ff50be06f0 Mon Sep 17 00:00:00 2001
From: David Sterba <dsterba@suse.com>
Date: Mon, 11 Apr 2016 18:40:08 +0200
Subject: btrfs: send: use vmalloc only as fallback for clone_sources_tmp

Signed-off-by: David Sterba <dsterba@suse.com>
---
 fs/btrfs/send.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

(limited to 'fs/btrfs/send.c')

diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
index 5a5d37b37150..6a8c86074aa4 100644
--- a/fs/btrfs/send.c
+++ b/fs/btrfs/send.c
@@ -6065,10 +6065,13 @@ long btrfs_ioctl_send(struct file *mnt_file, void __user *arg_)
 	alloc_size = arg->clone_sources_count * sizeof(*arg->clone_sources);
 
 	if (arg->clone_sources_count) {
-		clone_sources_tmp = vmalloc(alloc_size);
+		clone_sources_tmp = kmalloc(alloc_size, GFP_KERNEL | __GFP_NOWARN);
 		if (!clone_sources_tmp) {
-			ret = -ENOMEM;
-			goto out;
+			clone_sources_tmp = vmalloc(alloc_size);
+			if (!clone_sources_tmp) {
+				ret = -ENOMEM;
+				goto out;
+			}
 		}
 
 		ret = copy_from_user(clone_sources_tmp, arg->clone_sources,
@@ -6106,7 +6109,7 @@ long btrfs_ioctl_send(struct file *mnt_file, void __user *arg_)
 			sctx->clone_roots[i].root = clone_root;
 			clone_sources_to_rollback = i + 1;
 		}
-		vfree(clone_sources_tmp);
+		kvfree(clone_sources_tmp);
 		clone_sources_tmp = NULL;
 	}
 
@@ -6224,7 +6227,7 @@ out:
 		btrfs_root_dec_send_in_progress(sctx->parent_root);
 
 	kfree(arg);
-	vfree(clone_sources_tmp);
+	kvfree(clone_sources_tmp);
 
 	if (sctx) {
 		if (sctx->send_filp)
-- 
cgit v1.2.3